Effective Privileged Access Audit

An Effective Privileged Access Audit is an elemental cyber security risk assessment measure that organizations enact to identify exactly how many individuals effectively possess privileged access ("Keys to the Kingdom") in their foundational Active Directory (the bedrock of their cyber security and the epicenter of privileged access), who they are and what level of access they possess today.

The process of performing an effective privileged access audit involves the accurate determination of effective access (i.e. effective permissions) provisioned in the organization's Active Directory because all privileged user accounts and groups are stored and managed in Active Directory and all privileged access/power is provisioned, delegated and controlled in/from within Active Directory.

A 30-Second Primer on Effective Access and Effective Privileged Access

Today, in most organizations, all building blocks of cyber security (e.g. user accounts, computer accounts, security groups etc.) are stored in Active Directory and protected by access control lists (ACLs) that specify who has what privileged access to/on them. In each ACL, access is specified in the form of permissions that can be allowed or denied to any user or group, directly or indirectly.

Since access can be specified for users and groups, be allowed or denied, and be specified directly (explicit) or indirectly (inherited), what determines the actual (effective) access a user has on any building block is the user's effective permissions, i.e. the permissions the user actually ends up with, in light of the collective impact of every permission and its type (Allow, Deny, Explicit, Inherited).

Effective access is thus the actual access that a user has on a building block / IT asset, in light of the collective impact of all permissions and their types (Allow, Deny, Explicit, Inherited) in its ACL.

When – Considering that 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of just one privileged user, to minimize the possibility of a cyber security incident involving the compromise of a privileged user, an initial audit should be performed immediately, and subsequently on a quarterly basis.

5 Specific Examples –

The following five examples illustrate how an Active Directory Effective Privileged Access Audit can be used to assess an organization's exposure to the Top-5 Active Directory Security Risks –

To identify who can replicate credentials from Active Directory, calculate effective permissions on the domain root object to identify who effectively has the Get Replication Changes All right.

To identify who can manage default Active Directory admin accounts & groups, calculate effective permissions on the AdminSDHolder object to identify who effectively has various permissions.

To identify who can obtain access to most Active Directory objects, calculate effective permissions on the domain root and top-level OUs to identify who effectively has Modify permissions.

To identify who can link a GPO to the default Domain Controllers OU, calculate effective permissions on the Domain Controllers OU to identify who effectively has Link GPO permissions.

To identify who can obtain control of or modify specific IT assets in Active Directory, calculate effective permissions on all such objects to identify who effectively has relevant permissions.
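The following is an added illustration, not code from the original article: it models the primer's effective-permission logic (Allow/Deny, Explicit/Inherited, direct and nested group membership) and applies it to the first example above, asking who effectively holds Get Replication Changes All on the domain root. The ACL, group membership and account names are constructed sample data; object-type (GUID) matching in real AD ACEs is left out for brevity.

```python
"""Effective permissions on one AD object from its ACL (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str       # user or group the ACE applies to
    access: str        # "Allow" or "Deny"
    rights: frozenset  # right names, e.g. "DS-Replication-Get-Changes-All"
    inherited: bool = False  # False = explicit, True = inherited from a parent

def canonical_order(acl):
    """Windows evaluation order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.access == "Allow"))

def expand_principals(user, membership):
    """The user plus every group reached through (nested) membership."""
    seen, stack = {user}, [user]
    while stack:
        for group in membership.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def effective_permissions(user, acl, membership, rights):
    """For each right, the first ACE (in canonical order) that applies to the
    user or one of the user's groups decides; no matching ACE means no access."""
    principals = expand_principals(user, membership)
    decided = {}
    for ace in canonical_order(acl):
        if ace.trustee in principals:
            for right in ace.rights & rights:
                decided.setdefault(right, ace.access)
    return {r: decided.get(r) == "Allow" for r in rights}

def who_has(right, users, acl, membership):
    """Accounts that effectively hold `right` on the object protected by `acl`."""
    return sorted(u for u in users
                  if effective_permissions(u, acl, membership, {right})[right])

# Constructed sample data (not from any real domain).
REPL_ALL = "DS-Replication-Get-Changes-All"
MEMBERSHIP = {"alice": {"Domain Admins"}, "bob": {"Backup Ops"},
              "carol": {"Tier1 Helpdesk"}, "Tier1 Helpdesk": {"Backup Ops"}}
DOMAIN_ROOT_ACL = [
    Ace("Domain Admins", "Allow", frozenset({REPL_ALL, "WriteDacl"})),
    Ace("Backup Ops", "Allow", frozenset({REPL_ALL}), inherited=True),
    Ace("Tier1 Helpdesk", "Deny", frozenset({REPL_ALL})),  # explicit Deny wins
]

if __name__ == "__main__":
    print(who_has(REPL_ALL, ["alice", "bob", "carol"], DOMAIN_ROOT_ACL, MEMBERSHIP))
```

Note that bob gains the right only through an inherited ACE on a group, and carol loses it despite the same nested membership because an explicit Deny is evaluated first; neither result is visible from a plain ACE listing.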